Everyone loves to hate NK

Some experts don’t believe North Korea was involved in Sony hack

Now that Sony’s controversial movie The Interview is being streamed online via Google Play and other services, many are celebrating this as a gesture of defiance towards North Korea, and the dictatorship’s threats related to the film’s release — allegedly the reason for the hack that hit Sony earlier this month. But do we know for a fact that North Korea was the mastermind behind this attack? A number of prominent security analysts aren’t so sure.

There was much debate about the actual culprit following the release of Sony’s hacked emails, until the FBI said that it had conclusive evidence that North Korea was involved. But security experts like Bruce Schneier and Marc Rogers — a security analyst for the content-delivery network Cloudflare — say they don’t see the federal agency’s evidence as being all that persuasive. Here’s a look at what the FBI claims, and what skeptics like Schneier and Rogers argue:

Re-use of similar code: The bureau said one of the elements of the hack that suggested North Korea was involved was the use of code fragments that have been used in other cyber-attacks or hacking attempts in which the dictatorship was proven to be involved. As the FBI release described it:

“Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.”

But Rogers says this isn’t really a smoking gun — the code he believes the FBI is talking about, known as Shamoon, is known to have been leaked widely and is now available for any criminal hacker to use, so it can’t really tie Sony conclusively to North Korea. Schneier, meanwhile, said that re-use of code is actually a fairly compelling argument for it not being the work of the North Korean government — although he said the North Korean regime may have stepped in later to take advantage of the hack for PR purposes.

Use of known IP addresses: The FBI’s other main piece of evidence that North Korea was involved was the fact that a number of specific IP addresses or domains were “hard coded” into the software used in the hacking attack, addresses that were known to have been used in previous attacks involving North Korea:

“The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.”

But Rogers says the “naivety of this statement beggars belief.” Just because a system with a particular IP address was used for a cyber-crime doesn’t mean that it will always be associated with crimes, he says. Many IP addresses are dynamic, meaning they are part of a pool that internet providers draw from and assign randomly. And the fact that some of those IP addresses are known proxies meant to throw security researchers off the trail doesn’t necessarily mean North Korea is involved (there’s more technical detail here).

Ties to the movie: Both Rogers and Schneier note, as others have as well, that the connection between the movie The Interview and the hack attack itself was only made after the emails were released, and was a theory promoted mostly by the media — the movie itself wasn’t mentioned by the hackers in any of their communications with Sony until after it had become a media story. Both analysts believe the hackers may have played up this connection for “the lulz.”

Rogers notes that the use of passwords and other security features suggests that the hack involved at least one Sony employee or former employee, since the hack relied on an “extensive knowledge” of the company’s internal systems and procedures. While that doesn’t mean it was necessarily an all-inside job, it suggests that whoever masterminded the attack likely had help from someone on the inside. And an analysis of the language used in the software indicates its author is more likely to be a Russian speaker than a North Korean speaker.

Schneier, Rogers and a number of other experts also noted that the FBI could have classified information that it isn’t able to release that conclusively ties North Korea to the crime — but they also point out that the U.S. government claimed to have similar evidence that Iraqi dictator Saddam Hussein had “weapons of mass destruction,” and that turned out to be a bust. Whether North Korea joins that list of ignominious foreign-intelligence gaffes remains to be seen.

6 Responses to “Some experts don’t believe North Korea was involved in Sony hack”

  1. Gerrit Hendrik Schorel-Hlavka

    To me it seems to be more a politically motivated battle to attack North Korea than anything else. Having read the article and those linked to it I couldn’t really find the so to say “silver bullet” that the North Korean Government had anything to do with it. It is of concern that these allegations have been made against North Korea possibly for political motives. Where North Korea offers to have a joint investigation then why not accept this? There are ample allegations against North Korea as we had for example with the late President Saddam Hussein with his alleged WMD (Weapons of mass destruction) and the destruction of Iraq into the Stone Age and the killing of so many innocent lives, and for this we must be very cautious not to accept any allegation as being facts. Considering how the CIA operated worldwide in torture and so much initially denied, it becomes the “good” being the USA versus the “bad” North Korea to be no more than some movie script as the USA is far from “good”. I do not have any special inside knowledge of North Korea and how it is portrayed to be, as quite frankly much of it is propaganda to serve some persons on whatever side of the fence they are. What we must not do is that whenever some expert makes a claim to twist fiction into facts we just go along with the mass brainwashing. A clear example was where some person claimed to be a German pilot who claimed that there were round bullet holes in the debris of MH17. A proper look at the various parts shows they are in fact rivet holes where you can see on the images rows of rivets having been torn through the plates. No weapon could possibly shoot into a flying plane bullet holes in precisely identical distance from each other, which itself ought to have been a clear clue it never could have been bullet holes. As such, I for one prefer to await a full and open transparent investigation by all countries involved. The question is can we ever anticipate such a kind of inquiry!

  2. Are you serious? Comparing intel on WMDs in Iraq to an electronic hack on the internet?
    You can thank George W. Bush for purposely ignoring mounting evidence from German and French authorities that their initial source was a fraudulent taxi driver posing as a chemist from a weapons program that didn’t exist, so he can get asylum and a free apartment in Germany if he kept up the ruse.

  3. Vlad Preoteasa

    It’s like they’re trolling the FBI. Feeling pretty meta right about.

    This isn’t about terrorism, it’s about ethics in journalism… maybe ethics in security too.